Topic: Zentyal AD password delegation issue

iamerik

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
Zentyal AD password delegation issue
« on: April 04, 2015, 01:54:12 am »
I've run into a problem with Zentyal running as a domain controller.

Here is my setup:
Zentyal 4 community running on Ubuntu 14.04.2 server.  I installed the Zentyal core and then added the following modules:
DNS, Firewall, Domain controller and file sharing

1 windows server 2012 R2, joined to the domain.

Here is my problem:
From the web console, I can manage all AD objects, including setting passwords.
However, logged into the Windows server as a domain admin, I can use Active Directory Users and Computers to do everything I could want except for any action involving a password. If I create a new user, I receive "unknown error, contact your system administrator."

If I try to reset an existing user's password, I receive a more expressive error:
"Windows cannot complete the password change for test user because: the requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation"


I could deal with this, except for the fact that I don't know why it is happening, and that bothers me. However, I attempted to install SQL Server on the Windows server, and when I set the domain service accounts for the services the installer throws a generic error, which in my case I believe is related to my AD issue.

Has anyone run into this? Can you tell me where to look for logs with more info, or a fix?

tessierp

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
Re: Zentyal AD password delegation issue
« Reply #1 on: May 13, 2015, 02:14:42 am »
I am also having the same issue. No issues if I do not log in with the domain account.

branislav.kopun

  • Zen Apprentice
  • *
  • Posts: 15
  • Karma: +0/-0
Re: Zentyal AD password delegation issue
« Reply #2 on: October 12, 2015, 03:29:50 pm »
Is there anybody with a solution?

iamerik

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
Re: Zentyal AD password delegation issue
« Reply #3 on: February 02, 2016, 01:10:39 am »
For the time being, I threw in the towel and spun up a Windows Server Core instance running AD, DNS, and DHCP.
However, I was revisiting the site and found this: https://tracker.zentyal.org/issues/3859
Smells pretty similar.
I don't have the bandwidth right now to spin up boxes and try, but if anyone does before I do, please post results.

trysomething

  • Zen Warrior
  • ***
  • Posts: 118
  • Karma: +5/-0
  • Founder of The Tiki Lab
Re: Zentyal AD password delegation issue
« Reply #4 on: February 02, 2016, 01:38:07 am »
Try creating a user named something you'll remember but likely never use for an actual user account, like "ADAdmin", on your Zentyal box. Make sure this user is part of the "Domain Admins" group.
If you have PAM enabled, cool, just jump into a terminal and add the user to some groups; if not, make that a local user on the Zentyal box via:
sudo useradd ADAdmin
Now add it to the root, ebox, www-data and any other groups you like:
sudo usermod -a -G root ADAdmin
sudo usermod -a -G ebox ADAdmin
sudo usermod -a -G www-data ADAdmin
There are a couple of other groups that are handy; I'm not at a point where I can dig everything up though. Anyway, go into your Windows server and move that user way up the domain tree and then give it a go.
I think in the Zentyal Users and Computers > Manage page there's a Schema Admins group too; maybe just add it in there and see what happens.
Personally I just slapped RSAT on my Windows 10 PC and it seems to work just fine.
Oh, almost forgot: you may need to add that user (ADAdmin) onto your Windows server as a local user and then make it a member of everything you want from there. I honestly can't remember how exactly I did something really similar, but that's enough to get you going on the right path, I think.
I'll keep checking back and if I come across my old notes I'll drop a line in here about it.
Hope this is helpful!
You will have to excuse my posts not having actual links in them. I'm blind and can never find that insert hyperlink button, LoL. If you, or someone you know, has vision problems, check out The Tiki Lab.
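The reply above adds a local account to the root, ebox and www-data groups on the Zentyal host. The script below is an added example, not code from the thread or from Zentyal: it reads an /etc/group-format file and reports, for each group named, whether the given account is actually a member, so the result of the usermod steps can be verified (and later audited) without re-running them. The group-file content in sample_group_file is constructed for the demonstration; on a real host you would pass /etc/group.

```shell
#!/usr/bin/env bash
# Added example: verify group membership for an account, reading an
# /etc/group-format file. Each line of that file has the form
#   name:x:gid:member1,member2,...
# Usage: check_group_membership <user> <group-file> <group>...
# Prints one line per group and returns non-zero if the user is missing
# from any of the listed groups or a group does not exist.
check_group_membership() {
    local user="$1" groupfile="$2"
    shift 2
    local status=0 grp members
    for grp in "$@"; do
        # Does the group exist at all?
        if ! grep -q "^${grp}:" "$groupfile"; then
            echo "$grp: group does not exist"
            status=1
            continue
        fi
        # Fourth colon-separated field is the comma-separated member list.
        members=$(awk -F: -v g="$grp" '$1 == g { print $4 }' "$groupfile")
        # Wrap in commas so a whole-name match cannot hit a substring
        # (e.g. "ADAdmin" inside "ADAdmin2").
        case ",$members," in
            *",$user,"*) echo "$grp: member" ;;
            *) echo "$grp: not a member"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample /etc/group content standing in for a Zentyal host
# after the usermod for root and ebox ran but the one for www-data did not.
sample_group_file() {
    cat <<'EOF'
root:x:0:ADAdmin
daemon:x:1:
www-data:x:33:
ebox:x:1001:ADAdmin,someoneelse
EOF
}

# Stand-alone run against the constructed sample.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    tmpfile=$(mktemp)
    sample_group_file > "$tmpfile"
    check_group_membership ADAdmin "$tmpfile" root ebox www-data
    echo "exit status: $?"
    rm -f "$tmpfile"
fi
```

Membership in the root group (gid 0) is a high-privilege change on any host, so a check like this is also a reasonable thing to run periodically and diff against the expected membership rather than only once after following the steps.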